Cloufdront Masks User Agent and Remote Address

Question

We are running an SPA that communicates with an API. Both are exposed to the public via Cloudfront.

We now have the issue that the requests we see in the backend are masked by Cloudfront. Meaning:

• The Remote Address we see is the address of the AWS Cloud
• The User Agent Header field is set to "Amazon Cloudfront" and not the browser of the user

So Cloudfront somehow intercepts the request in a way we didn't anticipate.

I already went through these steps: https://aws.amazon.com/premiumsupport/knowledge-center/configure-cloudfront-to-forward-headers/ but ended up cutting the connection between the API and the frontend.

We don't care about caching implications (we don't have a lot of traffic), we just need to the right fields to show up in the backend.

Answer 1

By default, most request headers are removed, because CloudFront's default behaviors are generally designed around optimal caching. CloudFront's default header handling behavior is documented.

If you need to see specific headers at the origin, whitelist those headers for forwarding in the cache distribution. The documentation refers to this as “Selecting the Headers on Which You Want CloudFront to Base Caching” -- and that is what it does -- but that description masks what's actually happening. CloudFront removes the rest of the headers because it has no way of knowing for certain whether a specific header with a certain value might change the response that the origin generates. If it didn't remove these headers by default, there would be confusion in the other direction when users saw the "wrong" responses served from the cache.

In your case, you almost certainly don't want to include the Host header in what you are whitelisting for forwarding.

When testing, especially, be sure you also set the Error Caching Minimum TTL to 0, because the default value is 300 seconds... so you can't see whether the problem is fixed for up to 5 minutes after you fix it. This default is also by design, a protective measure to avoid overloading your origin with requests that are likely to continue to fail.

When examining responses from CloudFront, keep an eye on the Age response header, which is present any time the response is served from cache. It tells you how long it's been (in seconds) since CloudFront obtained the response it is currently returning to you.

If you want to disable CloudFront caching, you can set Maximum, Minimum, and Default TTL all to 0 (this only affects 2xx and 3xx HTTP responses -- errors are cached for a different time window, as noted above), or your origin can consistently return Cache-Control: s-maxage=0, which will prevent CloudFront from caching the response.